CVE-2024-5258 — Authorization Bypass Through User-Controlled Key in Gitlab

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-863 — Incorrect Authorization5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 99.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gitlab Debian Gitlab

Timeline

PublishedMay 23

Description

An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5gitlab/gitlab16.10 — 16.10.6+2

▶NVDgitlab/gitlab16.10.0 — 16.10.6+2

▶debiandebian/gitlab< gitlab 17.3.5-2 (sid)

▶gitlabgitlab/gitlab

🔴Vulnerability Details

GHSA

GHSA-w2rm-x498-v7f9: An authorization vulnerability exists within GitLab from versions 16↗2024-05-23

▶

OSV

CVE-2024-5258: An authorization vulnerability exists within GitLab from versions 16↗2024-05-23

▶

📋Vendor Advisories

GitLab

CVE-2024-5258: An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1 where an authenti↗2024-05-23

▶

Debian

CVE-2024-5258: gitlab - An authorization vulnerability exists within GitLab from versions 16.10 before 1...↗2024

▶